Coinbase Logo

Social Engineering - A Coinbase Case Study

Tl;dr - Coinbase recently experienced a cybersecurity attack that targeted one of its employees. Fortunately, Coinbase's cyber controls prevented the attacker from gaining direct system access and prevented any loss of funds or compromise of customer information. Only a limited amount of data from our corporate directory was exposed. Coinbase believes in transparency, and we want our employees, customers, and the community to hear the details of this attack and to share the Tactics, Techniques, and Procedures (TTPs) used by this adversary so everyone can better protect themselves.

By Jeff Lunglhofer

Engineering

, February 17, 2023

, 4min read time

Coinbase

Coinbase customers and employees are frequent targets of fraudsters. The reason is simple -  currency in any form, including crypto, is exactly what cybercriminals are after.  It’s not hard to understand why so many adversaries are constantly looking for ways to make a quick profit.

Dealing with such a large number of adversaries and cybersecurity challenges is one of the reasons why I find Coinbase to be such an interesting place to work. In this article we will discuss an actual cyber attack and associated cyber incident we recently dealt with here at Coinbase. While I am very happy to say that in this case no customer funds or customer information were impacted, there are still valuable lessons to be learned.  At Coinbase we believe in transparency.  By talking openly about security issues like this I believe we make the whole community safer and more security aware.  

Our story starts late in the day on Sunday February 5th, 2023.  Several employee mobile phones start to alert with SMS messages indicating that they need to urgently log in via the link provided to receive an important message. While the majority ignore this unprompted message - one employee, believing that it’s an important and legitimate message, clicks the link and enters in their username and password. After “logging in”, the employee is prompted to disregard the message and thanked for complying.  

What happened next was that the attacker, equipped with a legitimate Coinbase employee username and password, made repeated attempts to gain remote access to Coinbase. Fortunately our cyber controls were ready. The attacker was unable to provide the required Multi Factor Authentication (MFA) credentials - and was blocked from gaining access. In many cases, that would be the end of the story.  But this wasn’t just any attacker. We believe this individual is associated with a highly persistent and sophisticated attack campaign that has been targeting scores of companies since last year.

About 20 minutes later our employee’s mobile phone rang. The attacker claimed to be from Coinbase corporate Information Technology (IT) and they needed the employee’s help. Believing that they were speaking to a legitimate Coinbase IT staff member, the employee logged into their workstation and began following the attacker’s instructions. That began a back and forth between the attacker and an increasingly suspicious employee. As the conversation progressed, the requests got more and more suspicious. Fortunately no funds were taken and no customer information was accessed or viewed, but some limited contact information for our employees was taken, specifically employee names, e-mail addresses, and some phone numbers. 

Fortunately, our Computer Security Incident Response Team (CSIRT) was on top of this issue within the first 10 minutes of the attack.  Our CSIRT was alerted to unusual activity by our Security Incident and Event Management (SIEM) system. Shortly thereafter, one of our incident responders reached out to the victim via our internal Coinbase messaging system inquiring about some of the unusual behavior and usage patterns associated with their account. Realizing something was seriously wrong, the employee terminated all communications with the attacker.

Our CSIRT team immediately suspended all access for the victimized employee and launched a full investigation.  Because of our layered control environment, there were no funds lost and no customer information was compromised.  The clean-up was relatively quick, but still - there are a lot of lessons to be learned here. 

Anyone can be social engineered

Humans are social creatures. We want to get along. We want to be part of the team. If you think you can’t be fooled by a well executed social engineering campaign - you are kidding yourself. Under the right circumstances nearly anyone can be a victim. 

The most difficult attack of all to resist is a direct contact social engineering attack, like the one our employee suffered here. This is where the attacker directly contacts you via social media, your mobile phone, or even worse, walks up to your home or place of business.  These attacks aren’t new.  In fact, these kinds of attacks have certainly been happening since the early days of humanity.  It’s a favorite tactic of adversaries everywhere - because it works.  

So what do we do? How do we stop this from happening?

I would like to say this is just a training problem. That customers, employees and people everywhere  need to be better trained. They need to do better - there will always be some truth to that. But as cybersecurity professionals, that can’t be the solution excuse we reach for every time this happens. Research shows again and again that all people can be fooled eventually, no matter how alert, skilled, and prepared they are. We must always work from the assumption that bad things will happen. We need to be constantly innovating to blunt the effectiveness of these attacks while also striving to improve the overall experience of our customers and employees.

Can you share any Tactics, Techniques, and Procedures (TTPs)? 

We sure can.  Given the broad scope of companies being targeted by this actor we want everyone to know what we know.  Here’s a few specific things we recommend you look for in your corporate logs / SIEM:

Any web traffic from your technology assets to the following addresses, where * represents your company or organization name:

  • sso-*.com

  • *-sso.com

  • login.*-sso.com

  • dashboard-*.com

  • *-dashboard.com

Any downloads or attempted downloads of the following remote desktop viewers:

  • AnyDesk (anydesk dot com)

  • ISL Online (islonline dot com)

Any attempts to access your organization from a third party VPN provider, specificallyMullvad VPN.

Incoming phone calls / text messages from the following providers:

  • Google Voice

  • Skype

  • Vonage/Nexmo

  • Bandwidth dot com

Any unexpected attempts to install the following browser extension(s):

As a network defender you should expect to see login attempts to corporate applications from VPN services (e.g. Mullvad), using stolen credentials, cookies, or other session tokens. Attempts to enumerate customer support-focused applications, such as customer relationship management (CRM) applications, or employee directory applications.  And you may see attempts to copy text-based data to free text or file sharing services (e.g. riseup.net)

*****************

Situations like this are never easy to talk about.  They are embarrassing for the employee, they are frustrating for cybersecurity professionals, and they are frustrating for management.  They are just frustrating for everyone.  But as a community we need to be more open about issues like this. If you are a Coinbase customer - be suspicious of anyone asking for your personal information. Never share your credentials, never allow anyone to remotely access your personal devices, and enable the strongest form of authentication available to you. For your Coinbase account, consider switching to a physical security token for access to your account.  If you don’t transact regularly consider using our Coinbase vault solution to provide additional layers of protection for your assets.

If you are an employee of Coinbase or any other company with an online presence - you will be targeted at some point.  Be on guard, particularly if someone calls or contacts YOU.  A simple best practice is to hang up the phone and use a trusted phone number or company chat technology to reach out for help.  Never speak to or provide information or login information to someone who reached out to you first.

If you are a cybersecurity professional, we know that bad people will always do bad things. But we would also do well to remember that good people make mistakes and that our best security controls may sometimes falter.  Most importantly, we should always be willing to learn and try to be better.  We are all human.  That’s one constant that (hopefully!!!!) will never change.

Stay safe!

Coinbase logo